CVE-2024-37486: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2024-37486) was discovered in the Paid Memberships Pro WordPress plugin affecting versions up to 3.0.5. The vulnerability was reported on June 26, 2024, by security researcher Trương Hữu Phúc and publicly disclosed on July 4, 2024. This security issue affects the plugin's functionality and requires administrator-level access to exploit (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with a CVSS v3.1 base score of 7.2 (HIGH) according to NVD assessment (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Patchstack assigned a slightly higher CVSS score of 7.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD).

The vulnerability could allow an authenticated attacker with administrator privileges to directly interact with the database, potentially leading to unauthorized data access or manipulation. The impact is considered high for confidentiality and integrity, with potential system compromise (Patchstack).

Users are advised to update to Paid Memberships Pro version 3.0.6 or later to remediate this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to a fixed version (Patchstack).